February 2022 SAP Patch Day released 14 new Security Notes, including two patches for critical network security vulnerabilities that need immediate remediation.
German software multinational SAP and cybersecurity and compliance solutions specialist Onapsis have promptly patched the critical network security vulnerabilities identified this month and immediately alerted affected organisations. The SAP Product Security Response Team, in partnership with Onapsis Research Labs, has resolved the vulnerabilities, which affect a core component of SAP business applications, the Internet Communication Manager (ICM).
ICM, also known as ICMAD, is responsible for ensuring that an SAP system (SAP NetWeaver Application Server) communicates seamlessly with the outside world over the HTTP, HTTPS, and SMTP protocols. The risk posed by vulnerabilities in this component is heightened by its exposure to the internet and untrusted networks.
Commenting on SAP and Onapsis working closely together to identify and fix critical issues in SAP software so that customers are proactively protected, Richard Puckett, Chief Information Security Officer for SAP, stated:
“SAP has partnered with Onapsis to maintain secure solutions for our global customer base. It is through collaboration with key partners like Onapsis that SAP can provide the most secure environment possible for our customers. We strongly encourage all SAP customers to protect their businesses by applying the relevant SAP security patches as soon as possible.”
Two Priority Network Security Vulnerabilities
14 new Security Notes were released on the February Security Patch Day, including 10 Hot News notes tagged with a CVSS score of 10. However, SAP and Onapsis identified two priority security notes that require immediate patching on affected SAP applications to prevent exploitation of ICMAD. Unpatched SAP applications can be exploited and compromised, putting SAP users, business information, and business processes at risk.
Security Note 3123396, tagged as Hot News with a CVSS score of 10, patches the ICMAD vulnerability identified as CVE-2022-22536. The security note covers request smuggling and request concatenation in SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher.
Security Note 3123427, tagged as High Priority with a CVSS score of 8.1, patches the ICMAD vulnerabilities identified as CVE-2022-22532 and CVE-2022-22533. The security note covers HTTP request smuggling in SAP NetWeaver Application Server Java.
Commending SAP’s swift action on these critical cybersecurity threats, CEO and Co-founder of Onapsis Mariano Nunez said:
“These vulnerabilities can be exploited over the internet and without the need for attackers to be authenticated in the target systems, which makes them very critical. We applaud SAP for their rapid response and working with Onapsis Research Labs after being notified by our experts.”
“From swiftly issuing patches to working with our team to test the efficacy of those patches to proactively notifying impacted customers and the broader security community — SAP is setting the bar for what vulnerability disclosure and response looks like and how working with trusted partners like Onapsis better protects its customers,” he added.
The vulnerabilities were uncovered by Onapsis Research Labs following a year-long investigation into HTTP smuggling, which can be used to deliver malicious payloads that exploit SAP Java or ABAP systems even where multi-factor authentication controls are in place. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has already issued a Current Activity Alert for the identified vulnerabilities.
Though no customer breaches have been reported yet, SAP and Onapsis emphasised the need to apply Security Notes 3123396 and 3123427 immediately, and Onapsis has released a free open-source tool to help organisations identify these vulnerabilities in their SAP systems. In addition, the report highlighted that organisations using the Onapsis Assess and/or Onapsis Defend products are protected from the recently identified network security vulnerabilities.
“The discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as RECON and 10KBLAZE, are essential to protecting the business-critical applications that power 92% of the Forbes Global 2000. I am proud of the work our researchers have done to bring these vulnerabilities to light so they could be mitigated and commend SAP for their response and collaboration,” Nuñez stressed.